@farcaster/snap 1.16.1 → 1.16.3

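--- a/package/dist/schemas.d.ts
+++ b/package/dist/schemas.d.ts
@@ -68,6 +68,11 @@ export type SnapHandlerResult = {
   effects?: z.input<typeof snapResponseSchema>["effects"];
   ui: SnapSpecInput;
   };
+ /**
+ * @deprecated `nonce` and `audience` are currently optional for backward
+ * compatibility but will become **required** in a future major version.
+ * Clients should always include both fields.
+ */
   export declare const payloadSchema: z.ZodObject<{
   fid: z.ZodNumber;
   inputs: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodArray<z.ZodString>]>>>;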
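--- a/package/dist/schemas.js
+++ b/package/dist/schemas.js
@@ -31,12 +31,19 @@ const postInputValueSchema = z.union([
   z.boolean(),
   z.array(z.string()),
   ]);
+ /**
+ * @deprecated `nonce` and `audience` are currently optional for backward
+ * compatibility but will become **required** in a future major version.
+ * Clients should always include both fields.
+ */
   export const payloadSchema = z
   .object({
   fid: z.number().int().nonnegative(),
   inputs: z.record(z.string(), postInputValueSchema).default({}),
   timestamp: z.number().int(),
+ /** @deprecated Will become required. Clients should always send a unique nonce. */
   nonce: z.string().optional(),
+ /** @deprecated Will become required. Clients should always send the target server origin. */
   audience: z.string().optional(),
   })
   .strip();
@@ -77,13 +77,21 @@ export async function parseRequest(request, options = {}) {
   },
   };
   }
- // Audience validation: only enforce when the client sends an audience field.
- // v1 clients may not include nonce/audience yet.
+ // Deprecation: nonce and audience will become required in a future major version.
+ if (body.nonce === undefined || body.audience === undefined) {
+ console.warn("[snap] POST payload is missing nonce and/or audience. " +
+ "These fields will be required in a future major version. " +
+ "Please update your client to include both fields.");
+ }
   if (body.audience !== undefined) {
   let expectedOrigin = options.requestOrigin;
   if (expectedOrigin === undefined) {
   try {
- expectedOrigin = new URL(request.url).origin;
+ const url = new URL(request.url);
+ const proto = request.headers.get("x-forwarded-proto") ??
+ url.protocol.replace(":", "");
+ const host = request.headers.get("x-forwarded-host") ?? url.host;
+ expectedOrigin = `${proto}://${host}`;
   }
   catch {
   // do nothing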
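--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
   {
   "name": "@farcaster/snap",
- "version": "1.16.1",
+ "version": "1.16.3",
   "description": "Farcaster Snaps 🫰",
   "repository": {
   "type": "git",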
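--- a/package/src/schemas.ts
+++ b/package/src/schemas.ts
@@ -81,12 +81,19 @@ const postInputValueSchema = z.union([
   z.array(z.string()),
   ]);
 
+ /**
+ * @deprecated `nonce` and `audience` are currently optional for backward
+ * compatibility but will become **required** in a future major version.
+ * Clients should always include both fields.
+ */
   export const payloadSchema = z
   .object({
   fid: z.number().int().nonnegative(),
   inputs: z.record(z.string(), postInputValueSchema).default({}),
   timestamp: z.number().int(),
+ /** @deprecated Will become required. Clients should always send a unique nonce. */
   nonce: z.string().optional(),
+ /** @deprecated Will become required. Clients should always send the target server origin. */
   audience: z.string().optional(),
   })
   .strip();
@@ -148,13 +148,25 @@ export async function parseRequest(
   };
   }
 
- // Audience validation: only enforce when the client sends an audience field.
- // v1 clients may not include nonce/audience yet.
+ // Deprecation: nonce and audience will become required in a future major version.
+ if (body.nonce === undefined || body.audience === undefined) {
+ console.warn(
+ "[snap] POST payload is missing nonce and/or audience. " +
+ "These fields will be required in a future major version. " +
+ "Please update your client to include both fields.",
+ );
+ }
+
   if (body.audience !== undefined) {
   let expectedOrigin = options.requestOrigin;
   if (expectedOrigin === undefined) {
   try {
- expectedOrigin = new URL(request.url).origin;
+ const url = new URL(request.url);
+ const proto =
+ request.headers.get("x-forwarded-proto") ??
+ url.protocol.replace(":", "");
+ const host = request.headers.get("x-forwarded-host") ?? url.host;
+ expectedOrigin = `${proto}://${host}`;
   } catch {
   // do nothing
   }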
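Review bot: The fallback for `expectedOrigin` in parseRequest now prefers `x-forwarded-proto` and `x-forwarded-host` over `request.url`, and both headers are set by whoever sends the request unless a trusted proxy in front overwrites them. Since this value appears to be what `body.audience` is compared against (the comparison is below the hunk, so this is inferred), a server reachable without such a proxy would let the sender choose the origin the audience check accepts, which weakens the check's purpose of binding a payload to one server. I would read the forwarded headers only behind an explicit opt-in in `options` and otherwise keep `new URL(request.url).origin`, and document that proxied deployments should pass `options.requestOrigin`; at minimum add `// x-forwarded-* is trusted here: only safe when a reverse proxy strips client-supplied copies`. Forwarded headers can also carry a comma-separated list when several proxies are chained, which the template string would copy verbatim into the origin. The same compiled change is in package/dist/schemas.js, and parseRequest starts and ends outside the hunk.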